On Thu, Aug 16, 2012 at 12:48:21PM -0400, Simon Brereton wrote:
> I have a line like this in my logs:
> mail #554 5.7.1 <SPEXCH07.sp.com>: Helo command rejected: Host not 
> found ##
> 
> This is clearly because I have reject_invalid_helo_name in my 
> main.cf

No. You are confusing "invalid" and "unknown". The hostname format of 
"SPEXCH07.sp.com" is valid, but no such name exists in the DNS.

> Unfortunately, the fools at steelpartners.com have decided it's 
> quite okay to helo with sp.com (which actually resolves to Scottish 
> Power). I'm reluctant to remove this as it stops about 25% of my 
> spam attempts.

And you might also be confusing "non_fqdn" and "invalid". Both 
reject_invalid_helo_hostname and reject_non_fqdn_helo_hostname are 
reasonably safe IME. The latter is also very effective against 
zombies.

OTOH reject_unknown_helo_hostname is not safe for reasons such as 
this. I don't recommend it unless you are prepared to accept some 
blockage of non-spam.

>  I thought about adding it to 
> /etc/postfix/helo_checks but that is checked AFTER permit my 
> networks, so it wouldn't do any good - right?

How so? That makes no sense. Of course you would not apply strict 
helo checks against your own users. You want permit_mynetworks to 
apply before spam-blocking restrictions.

(Ideally, you want to completely separate your MX stream from 
submission. You would not have any permit_* restrictions on the MX 
stream.)

> If I added in a check_helo_access before reject_invalid_helo_name 
> that would work, yes?  Or would it be better to turn that line
> into warn_if_reject?

warn_if_reject is fine for testing, but it just clutters your logs 
when you know you don't want to use a certain restriction.

> What do others feel about that line?

Answered that already, but I'll go on to say that I don't think the 
confusion will be cleared until you share the postconf -n and logs.
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
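
The three HELO restrictions named in the reply above test different things. The following sketch is an added example, not part of the thread and not Postfix code; it approximates each test in Python. Assumptions: the syntax rule is simplified, the restrictions are taken in the order invalid, non_fqdn, unknown, and DNS is replaced by a hypothetical lookup over a constructed table so the example runs offline.

```python
import re

# Simplified label rule (assumption, not Postfix's exact parser):
# letters, digits, hyphen; 1-63 chars; no leading or trailing hyphen.
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Constructed stand-in for DNS: names that have an A or MX record.
KNOWN_NAMES = {"mail.example.org"}

def sample_lookup(name):
    """Hypothetical resolver: True if the name has an A or MX record."""
    return name.lower() in KNOWN_NAMES

def is_address_literal(name):
    """HELO given as an address literal such as [192.0.2.1]."""
    return name.startswith("[") and name.endswith("]")

def is_well_formed(name):
    """What 'invalid' is about: the shape of the name, no DNS involved."""
    if is_address_literal(name):
        return True
    if name.endswith("."):
        name = name[:-1]
    return 0 < len(name) <= 255 and all(LABEL.match(p) for p in name.split("."))

def is_fqdn(name):
    """What 'non_fqdn' is about: a bare host name with no domain part."""
    return is_address_literal(name) or "." in name.rstrip(".")

def first_rejecting_restriction(name, lookup=sample_lookup):
    """Return the restriction that would reject this HELO name, or None."""
    if not is_well_formed(name):
        return "reject_invalid_helo_hostname"
    if not is_fqdn(name):
        return "reject_non_fqdn_helo_hostname"
    # 'unknown' is the only test that consults DNS (A or MX record).
    if not is_address_literal(name) and not lookup(name.rstrip(".")):
        return "reject_unknown_helo_hostname"
    return None

if __name__ == "__main__":
    # Constructed inputs; the first is the HELO name from the log line above.
    for helo in ["SPEXCH07.sp.com", "SPEXCH07", "mail..example.org", "mail.example.org"]:
        print(f"{helo:20} -> {first_rejecting_restriction(helo)}")
```

Only the last test depends on the sender's DNS being published correctly, which is why a well-formed, fully qualified name such as SPEXCH07.sp.com is still rejected by it.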
